SQC-652 Implement Hyperdrive binding TLS miniflare proxy. This will (#11219)

allow for wrangler dev hyperdrive bindings to connect to external
databases that require TLS.
- Supports upgrading TLS connection to database by setting
  sslmode=prefer or sslmode=require or sslmode=disable in
  localConnectionString
- Default sslmode is disable
- Adds integration tests to miniflare test suite

Co-authored-by: Adrian Gracia <agracia@cloudflare.com>

Author: Ltadrian

.changeset/cute-plums-relate.md

@@ -0,0 +1,7 @@
+---
+"miniflare": minor
+"wrangler": minor
+---
+
+Implement Hyperdrive binding TLS miniflare proxy. This will allow for wrangler dev hyperdrive bindings to connect to external
+databases that require TLS.

fixtures/vitest-pool-workers-examples/hyperdrive/global-setup.ts

@@ -2,12 +2,25 @@ import assert from "node:assert";
 import events from "node:events";
 import net from "node:net";
 import util from "node:util";
-import type { GlobalSetupContext } from "vitest/node";
+import type { TestProject } from "vitest/node";
+
+export const POSTGRES_SSL_REQUEST_PACKET = Buffer.from([
+	0x00, 0x00, 0x00, 0x08, 0x04, 0xd2, 0x16, 0x2f,
+]);
 
 // Global setup runs inside Node.js, not `workerd`
-export default async function ({ provide }: GlobalSetupContext) {
+export default async function ({ provide }: TestProject) {
 	// Start echo server on random port
-	const server = net.createServer((socket) => socket.pipe(socket));
+	const server = net.createServer((socket) => {
+		socket.on("data", (chunk) => {
+			// on postgres ssl request packet respond with 'N' to indicate no SSL support
+			if (POSTGRES_SSL_REQUEST_PACKET.equals(chunk)) {
+				socket.write("N");
+			} else {
+				socket.write(chunk);
+			}
+		});
+	});
 	const listeningPromise = events.once(server, "listening");
 	server.listen(0, "127.0.0.1");
 	await listeningPromise;

fixtures/vitest-pool-workers-examples/hyperdrive/src/index.ts

@@ -4,7 +4,14 @@ export default <ExportedHandler<Env>>{
 		if (request.body === null) return new Response();
 
 		const socket = env.ECHO_SERVER_HYPERDRIVE.connect();
-		await request.body.pipeTo(socket.writable);
-		return new Response(socket.readable);
+		const writer = socket.writable.getWriter();
+
+		// parse body
+		const value = await request.text();
+		await writer.write(new TextEncoder().encode(value));
+		const result = await socket.readable.getReader().read();
+
+		writer.close();
+		return new Response(result.value);
 	},
 };

packages/miniflare/src/index.ts

@@ -83,6 +83,7 @@ import {
 	ServiceDesignatorSchema,
 } from "./plugins/core";
 import { InspectorProxyController } from "./plugins/core/inspector-proxy";
+import { HyperdriveProxyController } from "./plugins/hyperdrive/hyperdrive-proxy";
 import { imagesLocalFetcher } from "./plugins/images/fetcher";
 import {
 	Config,
@@ -948,6 +949,9 @@ export class Miniflare {
 	#maybeInspectorProxyController?: InspectorProxyController;
 	#previousRuntimeInspectorPort?: number;
 
+	#hyperdriveProxyController: HyperdriveProxyController =
+		new HyperdriveProxyController();
+
 	constructor(opts: MiniflareOptions) {
 		// Split and validate options
 		const [sharedOpts, workerOpts] = validateOptions(opts);
@@ -1720,6 +1724,7 @@ export class Miniflare {
 				unsafeEphemeralDurableObjects,
 				queueProducers,
 				queueConsumers,
+				hyperdriveProxyController: this.#hyperdriveProxyController,
 			};
 			for (const [key, plugin] of this.#mergedPluginEntries) {
 				const workerOptions = this.#getWorkerOptsForPlugin(key, workerOpts);
@@ -2689,6 +2694,9 @@ export class Miniflare {
 			// Unregister workers from dev registry and stop the file watcher
 			await this.#devRegistry.dispose();
 
+			// shutdown hyperdrive proxies if any exist
+			await this.#hyperdriveProxyController.dispose();
+
 			// Remove from instance registry as last step in `finally`, to make sure
 			// all dispose steps complete
 			maybeInstanceRegistry?.delete(this);